In Internet communications, threats from man-in-the-middle (MITM) attacks, such as phishing, have recently increased. Safe communication has become difficult to achieve by encrypted communication alone, so countermeasures against MITM attacks are desired.
One related-art method for communicating safely is SSL encrypted communication, which already incorporates a mechanism for mitigating MITM attacks: the server certificate is checked to determine whether communication is established with the authorized other party.
However, because the server certificate is in principle checked visually, the check takes considerable time and effort. Further, if the MITM can obtain a server certificate that resembles the genuine one, it is difficult to determine whether the certificate is a fake. To address this problem, an ordinary HTTP browser automatically displays a warning when a server certificate has a problem. However, the automatic check covers only whether the server certificate has previously been certified by a registered certification authority and whether the certificate has a formal problem, such as its expiry date or digital signature. If the MITM holds a formally authorized server certificate, or if the MITM has used virus software or the like to register its own server certificate in the HTTP browser so that the browser trusts it, the server certificate check has no effect.
To augment the automatic check, greatly enhanced server certificates called EV certificates have recently appeared. EV certificates make attacks more difficult to some degree, but the essential problem remains unsolved.
Further, as server certificates are enhanced, their cost increases, which makes it difficult for them to come into general public use.
As described above, truly effective and inexpensive measures for preventing MITM attacks have not been realized for encrypted communication established between two points that are unknown to each other.
Against this backdrop, the question naturally arises of whether MITM attacks can be prevented even if only while the two points share secret information, such as a password. Although subject to that constraint, the question is still significant.
In Internet communication in which a user is identified by a password, for instance online banking or viewing of network cameras, the user is granted the ability to exercise its own rights, so such communication is an attractive target for attackers. Conversely, when the communicating parties are unspecified, the value of the information is low and the communication is less attractive to attackers. Accordingly, if MITM attacks can be prevented even if only while a password is shared between two points, the protection is very significant in terms of the extent of damage.
If a password whose bit length is long enough to be considered cryptographically safe is held secretly between two points, encrypted communication can be implemented safely by using the password as a common key. However, it is difficult for ordinary persons to memorize such a password.
Accordingly, it has been hoped that MITM attacks can be prevented by using a password that a person can memorize, namely secret information whose bit length is not long enough to be considered cryptographically safe.
EKE (Encrypted Key Exchange) has hitherto been known as such a method (see Non-Patent Literature 1).